[solved] DNAT seems to forward requests to the wrong host

Hi,

I have a number of DNAT rules in place to make services accessible to the outside world. The config looks like this:

set nat destination rule 10 destination port '22'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '192.168.10.2'
set nat destination rule 20 destination port '80'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.168.10.2'
set nat destination rule 30 destination port '443'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address '192.168.10.2'
set nat destination rule 40 destination port '1194'
set nat destination rule 40 inbound-interface 'eth0'
set nat destination rule 40 protocol 'udp'
set nat destination rule 40 translation address '192.168.200.2'

These are the corresponding firewall settings:

set firewall name WAN-in default-action 'drop'
set firewall name WAN-in rule 10 action 'accept'
set firewall name WAN-in rule 10 state established 'enable'
set firewall name WAN-in rule 10 state related 'enable'
set firewall name WAN-in rule 99 action 'drop'
set firewall name WAN-in rule 99 destination port '22'
set firewall name WAN-in rule 99 protocol 'tcp'
set firewall name WAN-in rule 99 source group network-group 'badguys'
set firewall name WAN-in rule 100 action 'reject'
set firewall name WAN-in rule 100 destination port '22'
set firewall name WAN-in rule 100 protocol 'tcp'
set firewall name WAN-in rule 100 recent count '1'
set firewall name WAN-in rule 100 recent time '1800'
set firewall name WAN-in rule 100 state new 'enable'
set firewall name WAN-in rule 110 action 'accept'
set firewall name WAN-in rule 110 destination address '192.168.10.2'
set firewall name WAN-in rule 110 destination port '22'
set firewall name WAN-in rule 110 protocol 'tcp'
set firewall name WAN-in rule 120 action 'accept'
set firewall name WAN-in rule 120 destination address '192.168.10.2'
set firewall name WAN-in rule 120 destination port '80'
set firewall name WAN-in rule 120 protocol 'tcp'
set firewall name WAN-in rule 130 action 'accept'
set firewall name WAN-in rule 130 destination address '192.168.10.2'
set firewall name WAN-in rule 130 destination port '443'
set firewall name WAN-in rule 130 protocol 'tcp'
set firewall name WAN-in rule 140 action 'accept'
set firewall name WAN-in rule 140 destination address '192.168.200.2'
set firewall name WAN-in rule 140 destination port '1194'
set firewall name WAN-in rule 140 protocol 'udp'
set interfaces ethernet eth0 firewall in name 'WAN-in'

This setup has worked in the past, but now DNAT rule 20 does not seem to work anymore. Strangely, browser requests on port 80 yield a message from 192.168.200.2 (another VyOS machine), displaying a Squid error 111 message.

The only thing that has changed since it last worked as intended was my ISP device. It no longer does NAT but now works in bridge mode, i.e. VyOS’s eth0 interface now has a WAN IP address.

Any help is appreciated, thank you very much!

EDIT: I might add that the forwards to 22/TCP, 443/TCP and 1194/UDP work as expected. I really have no idea as to why 192.168.200.2 should receive the requests rather than 192.168.10.2.

I am at a total loss right now…

Also, I edited the thread title to better describe the symptom.
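As an added example (not from the original post and not a VyOS tool), a small Python checker that parses `set` lines of the kind shown above and flags two misconfigurations that make a forward land on the wrong host or get dropped: a DNAT rule shadowed by an earlier rule matching the same interface/protocol/port, and a DNAT rule with no WAN-in accept rule naming its translation address. DNAT rules 25 and 50 in the sample are hypothetical; rule 20 and firewall rule 120 are copied from the post.

```python
import re
from collections import defaultdict

# Constructed sample: DNAT rule 20 and firewall rule 120 come from the post.
# Rule 25 (hypothetical) repeats rule 20's match, so the earlier rule wins;
# rule 50 (hypothetical) forwards 8080/tcp but has no matching accept rule.
CONFIG = """
set nat destination rule 20 destination port '80'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.168.10.2'
set nat destination rule 25 destination port '80'
set nat destination rule 25 protocol 'tcp'
set nat destination rule 25 translation address '192.168.200.2'
set nat destination rule 50 destination port '8080'
set nat destination rule 50 protocol 'tcp'
set nat destination rule 50 translation address '192.168.10.2'
set firewall name WAN-in rule 120 action 'accept'
set firewall name WAN-in rule 120 destination address '192.168.10.2'
set firewall name WAN-in rule 120 destination port '80'
set firewall name WAN-in rule 120 protocol 'tcp'
"""
NAT_RE = re.compile(r"set nat destination rule (\d+) (.+?) '(.*)'")
FW_RE = re.compile(r"set firewall name (\S+) rule (\d+) (.+?) '(.*)'")

def parse(config):
    # Group 'set' lines into {rule: {key: value}}; firewall rules are keyed by (ruleset, number).
    nat, fw = defaultdict(dict), defaultdict(dict)
    for line in config.strip().splitlines():
        if m := NAT_RE.match(line):
            nat[int(m[1])][m[2]] = m[3]
        elif m := FW_RE.match(line):
            fw[(m[1], int(m[2]))][m[3]] = m[4]
    return nat, fw

def check(nat, fw, ruleset="WAN-in"):
    # The 'in' chain sees the already-translated destination, so each DNAT rule needs an
    # accept rule for its translation address/port/protocol; duplicate matches are shadowed.
    findings, seen = [], {}
    for num in sorted(nat):
        r = nat[num]
        key = (r.get("inbound-interface"), r.get("protocol"), r.get("destination port"))
        if key in seen:
            findings.append(f"DNAT rule {num} is shadowed by rule {seen[key]}")
            continue
        seen[key] = num
        target = r.get("translation address")
        if not any(n == ruleset and f.get("action") == "accept" and f.get("protocol") == key[1]
                   and f.get("destination port") == key[2] and f.get("destination address") == target
                   for (n, _), f in fw.items()):
            findings.append(f"DNAT rule {num} -> {target}:{key[2]}/{key[1]} has no {ruleset} accept rule")
    return findings
```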

The issue has been resolved for no apparent reason. Requests on port 80 are now forwarded as expected.

This remains a mystery to me. If someone can offer an explanation, I am all ears…

The only explanation I can come up with: some ISPs filter incoming ports; maybe they did for a while.
